Investigate Login does not work & Browser Session lost on PHP 5.5#4806

Labels

Milestone

Assignee

3 participants

We use Piwik on a Server with Zend-Server 6.0.3 and PHP 5.5. We noticed that login does not work, despite correct user credentials the Session gets reset and the login screen reappears without message.

We debugged it and found out that Session::regenerateId() is programmed such to destroy the old session, so the login authentication is lost on the browser cookie and a valid login attempt to fail.

Also whenever sending the Header("Location:..."winking smiley to redirect the browser to a different URL, please use "session_write_close()" before to write the session data. Because the same effect may appear that on redirection the browser session is lost:

On a PHP 5.4 based system Piwik works without these changes for us, but on 2 separate PHP 5.5 based systems (where we are able to confirm that session management works as many other PHP applications work nicely there) Piwik only will keep the current browser session with the above changes applied.

Please check for yourself, and include these changes into the main code if possible (or any other solution to make Piwik work on PHP 5.5).

We use Zend-Server 6.3 with PHP 5.5.7 currently. [session.use_strict_mode] is disabled.
And I disagree to change the PHP.ini which does work for other applications that use sessions heavily (like Wordpress or Magento), especially if there is a easy correction on the apps code that corrects it.

As the server also runs eCommerce applications, we will run with [session.use_strict_mode] in the future to prevent session fixation and have the highest server side security in place.

Also upgrading to PHP 5.5.9 is not an viable option as it is not available for Zend-Server yet. Also here, I disagree to "fix" the server side when there is a code correction the viable option.

I do not understand the comment, why not simply improve the code?

Other applications like Magento work perfectly without change in this environment.

@pisc.software would you mind doing a pull request for your change? If the builds pass, it should be safe to merge and for sure, we'd like to fix it if possible. Btw would be interesting to know if you can replicate on 5.5.9 as well, in case you can easily test it.

Replying to matt:
Yes, thats true. If it has security implications lets just not allow login to anyone using Piwik on Zend-Server with PHP-5.5

Anyway, we invested our time and have a working correction that also does regenerate the Session-ID. Basically the Session-ID is required to be regenerated before the authentication cookie is being sent. Currently that is done afterwards.

We will make a Push-Request, however we do not have access privileges to push the corrected branch to Github.